US20150163227A1

Movatterモバイル変換

Info

Publication number: US20150163227A1
Application number: US14/591,317
Authority: US
Inventors: Gregory J. Boss; Andrew R. Jones; Charles S. Lingafelt; Kevin C. McConnell; John E. Moore, JR.
Original assignee: International Business Machines Corp
Current assignee: International Business Machines Corp
Priority date: 2011-07-27
Filing date: 2015-01-07
Publication date: 2015-06-11
Anticipated expiration: 2031-07-27
Also published as: US8943413B2; US20130031480A1; US8756509B2; US9137253B2; US20140245429A1; US9231958B2; US20150312261A1

Abstract

Description

This application is a continuation application claiming priority to Ser. No. 14/269,565 filed May 5, 2014 which is a continuation application of Ser. No. 13/191,564 filed Jul. 27, 2011, now U.S. Pat. No. 8,756,509 issued Jun. 17, 2014.

TECHNICAL FIELD

The present invention relates to a data processing method and system for controlling access to information technology resources, and more particularly to a data processing technique for controlling access to resources using a visual rendering of access controls.

BACKGROUND

Known techniques for access control of information technology resources (e.g., computer files) employ traditional access control and/or mutually exclusive access control. Traditional access control ensures that an entity accessing a resource has certain attributes that match access control requirements. Mutually exclusive access control designates certain entities as incompatible so that the designated entities are not permitted to access a particular resource at the same time. The known access control techniques are based on access control lists and/or text-based rules, which are non-intuitive, error-prone, and difficult to use. Thus, there exists a need to overcome at least one of the preceding deficiencies and limitations of the related art.

BRIEF SUMMARY

Embodiments of the present invention provide a method of controlling access to IT resources. The method comprises:

a computer initiating a display including a visual representation of the resource and a visual representation of a first entity;

the computer receiving an assignment of an access control requirement to the visual representation of the resource;

the computer receiving an assignment of a first attribute to the visual representation of the first entity;

the computer detecting a movement in the display of the visual representation of the first entity from outside a boundary of the visual representation of the resource to a position substantially close to the boundary of the visual representation of the resource;

responsive to detecting the movement to the position substantially close to the boundary, the computer determining the first attribute assigned to the visual representation of the first entity satisfies the access control requirement assigned to the visual representation of the resource;

the computer determining the first entity is permitted to access the resource based on the first attribute assigned to the visual representation of the first entity satisfying the access control requirement assigned to the visual representation of the resource; and

the computer permitting a movement in the display of the visual representation of the first entity across the boundary of the visual representation of the resource and permitting a placement in the display of the visual representation of the first entity within the boundary of the visual representation of the resource based on the first entity being permitted to access the resource.

A system, program product and a process for supporting computing infrastructure where the process provides at least one support service are also described herein, where the system, program product and process for supporting computing infrastructure correspond to the aforementioned method.

Embodiments of the present invention provide a graphical method for controlling access to IT resources so that the access is intuitive, easy to use and not prone to error.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a system for controlling access to IT resources, in accordance with embodiments of the present invention.

FIG. 2 is a flowchart of a preparatory process for controlling access to IT resources, where the process is implemented in the system ofFIG. 1, in accordance with embodiments of the present invention.

FIGS. 3A-3B depict a flowchart of an operational process for controlling access to IT resources, where the process is implemented in the system ofFIG. 1, in accordance with embodiments of the present invention.

FIG. 4 is a first exemplary graphical user interface included in the system ofFIG. 1, in accordance with embodiments of the present invention.

FIG. 5 is a second exemplary graphical user interface included in the system ofFIG. 1, in accordance with embodiments of the present invention.

FIG. 6 is a block diagram of a computer system that is included in the system ofFIG. 1 and that implements the processes ofFIG. 2 andFIGS. 3A-3B, in accordance with embodiments of the present invention.

DETAILED DESCRIPTIONOverview

Embodiments of the present invention may provide a method and system for controlling access by a user or a software application to information technology (IT) resources (e.g., computer files) by using a visual rendering of an access control abstraction that includes visual representations that relate IT resources, entities accessing the IT resources, attributes of the entities, and access control requirements associated with the IT resources. The visual rendering of the access control abstraction allows a non-technical user to easily understand and manage access control. Users may use a graphical user interface (GUI) to use GUI methods (e.g., drag and drop) to directly manipulate the visual representations of members of access control sets, thereby controlling access to IT resources.

In one embodiment, a GUI allows an administrator to create a geometric shape to visually represent any type of IT resource and define the IT resource by the particular shape and by defining attributes of the shape (e.g., color, size, type of outline, etc.). Further, the GUI allows the administrator graphically manipulate who has access to the IT resources, by individual or by group. The GUI may limit the number of entities permitted to access an IT resource based on the size of the geometric shape representing the IT resource. For example, a maximum number of entities permitted to access the IT resource is determined by the maximum number of (e.g., non-overlapping) geometric shapes representing entities that are able to fit into the IT resource's geometric shape. The GUI also allows for a definition of entities that are explicitly denied access to any or all IT resources.

Visual representation and visual control of access to IT resources as disclosed herein may be implemented in any software product that includes resource access control functionality, including security products, such as the administrative console of Security Network Intrusion Prevention System (IPS) supported by Internet Security System (ISS), and Tivoli Identity Manager (TIM). ISS, IPS and TIM are offered by International Business Machines Corporation located in Armonk, N.Y.

As used herein, an IT resource is defined as a physical item or logical item being managed in an information system of an enterprise. IT resources may include, for example, disk drives, network interfaces, application servers, processors, memory, adapters, input/output devices, database applications, processes, file systems, data sets, computer files, and control or processing programs. Hereinafter, an IT resource is referred to simply as a “resource.”

As used herein an entity is defined as a person or group of persons. An entity may want or require access to a resource, and is either allowed to access the resource or is prohibited from accessing the resource.

As used herein, an attribute of an entity is defined as a characteristic or trait of an entity that describes the entity. Attributes of an entity include, for example, the entity's role in an organization, the entity's location, the entity's clearance level, etc.

System for Controlling Access to a Resource

FIG. 1 is a block diagram of a system for controlling access to IT resources, in accordance with embodiments of the present invention.System100 includes acomputer system102, which runs a software-based access control visual representation andmanagement tool104.Tool104 exchanges data with aGUI106 for graphically representing and graphically manipulating access controls that determine what resource(s) each entity is permitted to access and what other resource(s) each entity is prohibited from accessing.

Tool

104 associates each resource ofresources108 with a corresponding visual representation, and further associates one or more access controls (a.k.a. access control requirements) ofaccess controls110 with each resource ofresources108.Tool104 also associates each entity ofentities112 with a corresponding visual representation, and further associates one or more attributes ofattributes114 with each entity ofentities112.

Tool

104 initiates a display onGUI106 that includes visual representations116-1 . . .116-N of N corresponding resources, where N≧1. Hereinafter, a visual representation of a resource is also referred to as a “resource visual representation.” Although resource visual representations116-1 . . .116-N are depicted inFIG. 1 as being of the same rectangular shape, embodiments of the present invention contemplateGUI106 displaying resource visual representations having different shapes (e.g., rectangles, parallelograms, and crosses), or that displays some resource visual representations having the same shape and others having different shapes. In one embodiment, each different shape of a resource visual representation indicates a corresponding type of resource. For example, all rectangles displayed inGUI106 may indicate computer files, all displayed parallelograms may indicate data storage, and all displayed crosses may indicate applications.

The display onGUI106 initiated bytool104 includes visual representations118-1 . . .118-M of M corresponding entities, where M≧1. Hereinafter, a visual representation of an entity is also referred to as an “entity visual representation.” Although entity visual representations118-1 . . .118-M are depicted inFIG. 1 as being of the same oval shape, embodiments of the present invention contemplateGUI106 displaying entity visual representations having different shapes (e.g., ovals and hexagons), or that displays some entity visual representations having the same shape and others having different shapes. In one embodiment, each different shape of an entity visual representation indicates a corresponding type of entity. For example, each oval displayed inGUI106 may indicate a corresponding individual person, while each hexagon may indicate a corresponding group of people.

As one example,GUI106 may include rectangles that represent resources, ovals that represent entities that are individual consumers of resources, and hexagons that represent entities that are groups of individual consumers of resources. If an oval or hexagon is located within the boundary of a rectangle, then the entity represented by the oval or hexagon is allowed to access the resource represented by the rectangle. The resource represented by a rectangle may be a single resource (e.g., a document) or a collection of resources (e.g., multiple documents with the same attributes such as the same classification of “confidential”). The resource may also be an application (e.g., an accounts payable system). In addition, the entity and/or the resource can be distinguished by both shape and color. Furthermore, a resource may be subdivided into regions with different access control properties for each region. For instance, if a first region is enclosed with a dashed line, then access for entities whose representations are within the first region is “read only”, and if a second region is enclosed with a solid line, then access for entities whose representations are within the second region is “read/write”.

In addition to traditional access control concepts (i.e., assuring that an entity accessing the resource has certain attributes such as identity that match the access control requirements of the resource), embodiments of the present invention include visual representations access control requirements that address mutually exclusive access control and the concept of incompatible objects. Some entities may be mutually exclusive so that the entities are not allowed access to a particular resource at the same time. For example, Person A from company XYZ and Person B from company WXY are not permitted to access Document Q at the same time because of a legal agreement between XYZ and WXY. In this example, if a first oval representing Person A is placed in a rectangle representing Document Q, then a second oval representing Person B is not permitted to be placed in the same rectangle as long as the first oval is in the rectangle. Furthermore, some entities may be mutually required so that the entities are allowed access to a particular resource only at the same time. For example, Person A from company XYZ and Person B from company WXY may both be required to access Resource R at the same time because of a legal agreement between XYZ and WXY. In this example regarding entities that are mutually required, both a first oval representing Person A and a second oval representing Person B must be placed in the same rectangle representing Resource R prior to both Person A and Person B being granted access to Resource R. If either oval is withdrawn from the rectangle representing Resource R, then access to Resource R is terminated for the person represented by the remaining oval.

Computer system

102 may include hardware and software components, which are described below relative toFIG. 6.

The functionality of the components ofsystem100 is further described below relative toFIG. 2,FIGS. 3A-3B andFIG. 6.

Preparatory Process for Controlling Access to a Resource

FIG. 2 is a flowchart of a preparatory process for controlling access to IT resources, where the process is implemented in the system ofFIG. 1, in accordance with embodiments of the present invention. The preparatory process for controlling access to resources starts atstep200. Instep202, computer system102 (seeFIG. 1) assigns a corresponding visual representation to each resource and/or to each collection of resources. In one embodiment,step202 assigns each resource a specific shape and a specific color, and may also assign one or more resources with a specific size and/or a specific type of outline (e.g., solid line or dashed line). For example,step202 assigns rectangle shapes to all resources that are computer files, where a rectangle shape may be red to indicate that the corresponding computer files have a “top secret” security classification and another rectangle shape may be blue to indicate that the corresponding computer files have a “secret” security classification.

Instep204, computer system102 (seeFIG. 1) assigns access control requirement(s) to each resource visual representation assigned instep202. Step204 may include an assignment of any combination of the following access control requirements for each resource visual representation:

- A specific type of access may be associated with the resource visual representation. For instance, the resource may have read or read/write access by an entity.
- A specific access action may be associated with the resource visual representation. For example, the resource requires a log-in by an entity.
- A specific role-based access control may be associated with the resource visual representation. For instance, the resource is permitted to be accessed only by a member of the accounts payable department.
- A specific exclusion access control may be associated with the resource visual representation. For example, only two entities are permitted to have access to the resource at the same instant of time or within a period of time. As another example, entities having one or more particular attributes are not permitted to access the resource.

Those skilled in the art will understand that other types of access control requirements may be added to the aforementioned list.

Instep206, computer system102 (seeFIG. 1) assigns a corresponding visual representation to each entity that may access to a resource and/or a collection of resources. In one embodiment,step206 assigns each entity a specific shape and a specific color, and optionally may assign one or more entities with a specific size and/or a specific type of outline (e.g., solid line or dashed line). For example,step206 assigns oval shapes to all individuals and hexagons to all groups of people.

Instep208, computer system102 (seeFIG. 1) assign attribute(s) to each entity visual representation assigned instep206. The assigned attribute(s) are required to make access control decisions based on the access control requirements assigned instep204. Attributes assigned to an entity instep208 may include, for example, the role of the entity in an organization, the location of the entity, the clearance level of the entity, etc.

In one embodiment, steps202-208 are performed by tool104 (seeFIG. 1).

Instep210, the preparatory process of controlling access to resources ends.

Operational Process for Controlling Access to a Resource

FIGS. 3A-3B depict a flowchart of an operational process for controlling access to IT resources, where the process is implemented in the system ofFIG. 1, in accordance with embodiments of the present invention. The preparatory process ofFIG. 2 precedes the process ofFIGS. 3A-3B. The operational process for controlling access to resources starts atstep300 inFIG. 3A. Instep302, tool104 (seeFIG. 1) initiates a display in GUI106 (seeFIG. 1) of resource visual representation(s) and entity visual representation(s) which were assigned in step202 (seeFIG. 2) and step206 (seeFIG. 2), respectively. The display initiated instep302 may be presented on a display device coupled to computer system102 (seeFIG. 1) or coupled to another computer. The display initiated instep302 is hereinafter referred to simply as “the display.”

Instep304, tool104 (seeFIG. 1) detects a movement in the display of an entity visual representation from outside the boundary of a displayed resource visual representation to a position substantially close to the boundary of the resource visual representation. The resource visual representation was assigned to a resource in step202 (seeFIG. 2). Hereinafter, in the discussion ofFIGS. 3A-3B, the resource to which the resource visual representation was assigned is referred to simply as “the resource.”

Instep306, tool104 (seeFIG. 1) determines whether attribute(s) assigned in step208 (seeFIG. 2) to a displayed entity visual representation satisfies the access control requirement(s) assigned in step204 (seeFIG. 2) to the resource visual representation. The entity visual representation was assigned to an entity in step206 (seeFIG. 2). Hereinafter, in the discussion ofFIGS. 3A-3B, the entity to which the entity visual representation was assigned is referred to simply as “the entity.”

Instep308, based on the determination instep306, tool104 (seeFIG. 1) determines that the entity is permitted to access the resource or that the entity is not permitted to access the resource. Ifstep308 determines that the entity is not permitted to access the resource, then the No branch ofstep308 is taken and step310 is performed.

Instep310, tool104 (seeFIG. 1) initiates a presentation of a visual cue on the display and optionally initiates a presentation of a notification, where the visual cue and the notification indicate to a user that the entity is not permitted to access the resource. The initiation of the visual cue includes preventing a placement of the entity visual representation within the boundary of the resource visual representation. In one embodiment, preventing the placement of the entity visual representation within the boundary of the resource visual representation includes preventing a movement of the entity visual representation across the boundary of the resource visual representation.

Instep311, if tool104 (seeFIG. 1) determines there is more movement of an entity visual representation on the display, then the Yes branch ofstep311 is taken and the process ofFIGS. 3A-3B loops back tostep304. Ifstep311 determines that there is no further movement of any entity visual representations on the display, then the process ofFIGS. 3A-3B ends atstep312.

Returning to step308, if tool104 (seeFIG. 1) determines that the entity is permitted to access the resource based on the determination made instep306, then the Yes branch ofstep308 is taken andstep314 inFIG. 3B is performed.

Instep314 inFIG. 3B, tool104 (seeFIG. 1) determines whether an exclusion access control requirement was assigned to the resource visual representation in step204 (seeFIG. 2). An exclusion access control requirement indicates attribute(s) that cause an entity to be not permitted to access a resource (i.e., the entity is excluded from accessing the resource). Ifstep314 determines that an exclusion access control requirement is assigned to the resource visual representation, then the Yes branch ofstep314 is taken and step316 is performed.

Instep316, if tool104 (seeFIG. 1) determines that the exclusion access control requirement depends on the state of other entities, then the Yes branch ofstep316 is taken and step318 is performed.

Instep318, if tool104 (seeFIG. 1) determines that the exclusion access control requirement is satisfied by the state of the other entities, then the Yes branch ofstep318 is taken and step320 is performed.

Instep320, tool104 (seeFIG. 1) initiates a presentation of a visual cue on the display and optionally initiates a presentation of a notification, where the visual cue and the notification indicate to a user that the entity is not permitted to access the resource. The initiation of the visual cue includes preventing a placement of the entity visual representation within the boundary of the resource visual representation. In one embodiment, preventing the placement of the entity visual representation within the boundary of the resource visual representation includes preventing a movement of the entity visual representation across the boundary of the resource visual representation.

As an example of taking the Yes branch ofstep318, consider an exclusion access control requirement that specifies a maximum of N entities are permitted to have access to the resource at one time, where N≧1. The resource visual representation is assigned an area (hereinafter, “assigned area”) within its boundary into which a maximum of N visual representations of N entities are able to fit (seestep202 inFIG. 2). Tool104 (seeFIG. 1) detects N placements of N entity visual representations within the assigned area within the boundary of the resource visual representation. In this example, the state of the other entities relative to step318 is the number of entity visual representations that are already in the assigned area within the boundary. Furthermore, since there are already N entity visual representations in the assigned area, the movement detected in step304 (seeFIG. 3A) is determined instep318 to be the movement of an (N+1)-th entity visual representation to a position substantially close to the boundary. Tool104 (seeFIG. 1) determines that the (N+1)-th entity visual representation does not fit into the assigned area within the boundary. Based on the (N+1)-th entity visual representation not fitting into the assigned area, the Yes branch ofstep318 is taken and tool104 (seeFIG. 1) further determines that the (N+1)-th entity is not permitted to access the resource. Based on the determination that the (N+1)-th entity is not permitted to access the resource, tool104 (seeFIG. 1) prevents a placement in the display of the (N+1)-th entity visual representation within the assigned area (see step320).

Instep321, if tool104 (seeFIG. 1) determines there is more movement of an entity visual representation on the display, then the Yes branch ofstep321 is taken and the process ofFIGS. 3A-3B loops back to step304 (seeFIG. 3A). Ifstep321 determines that there is no further movement of any entity visual representations on the display, then the process ofFIGS. 3A-3B ends atstep322.

Returning to step316, if tool104 (seeFIG. 1) determines that the exclusion access control requirement does not depend on the state of other entities, then the No branch ofstep316 is taken and step324 is performed.

Instep324, if tool104 (seeFIG. 1) determines that the exclusion access control requirement is satisfied by attribute(s) assigned to the entity visual representation, then the Yes branch ofstep324 is taken and

steps

320 and322 are performed as described above.

Instep324, if tool104 (seeFIG. 1) determines that the exclusion access control requirement is not satisfied by attribute(s) assigned to the entity visual representation, then the No branch ofstep324 is taken and step326 is performed.

Instep326, tool104 (seeFIG. 1) allows a movement in the display of the entity visual representation across the boundary of the resource visual representation and a placement in the display of the entity visual representation within the boundary of the resource visual representation to indicate that the entity is permitted to access the resource. Afterstep326,step321 is performed, as described above.

Returning to step318, if tool104 (seeFIG. 1) determines that the exclusion access control requirement is not satisfied by the state of the other entities, then the No branch ofstep318 is taken and step326 followed bystep321 are performed, as described above.

Returning to step314, if tool104 (seeFIG. 1) determines that an exclusion access control requirement is not assigned to the resource visual representation, then the No branch ofstep314 is taken and step326 followed bystep321 are performed, as described above.

EXAMPLES

FIG. 4 is a first exemplary graphical user interface included in the system ofFIG. 1, in accordance with embodiments of the present invention. GUI106 (seeFIG. 1) may be, for example,GUI400, which includes resource

visual representations

Resourcevisual representation402 is a rectangle to indicate that the resource being represented is a single document. In this case,rectangle402 represents a document identified as Document_Name_—1, which is the label on the rectangle. The color ofrectangle402 indicates meta data of the document, which in this example is the security classification of the document.Rectangle402 is red to indicate that Document_Name_—1 is a document that has a “TOP SECRET” security classification. Because Document_Name_—1 has a TOP SECRET classification, access to the document is limited to a maximum of three people. The access to Document_Name_—1 being limited to three people is represented by the size ofrectangle402, which is filled up by three non-overlapping ovals that represent people.

Like resourcevisual representation402, resourcevisual representation404 is also a rectangle to indicate that the resource being represented is a single document. In this case,rectangle404 represents a document identified asDocument_Name_—2, which is the label onrectangle404. The color ofrectangle404 indicates meta data of the document being represented, which in this example is the security classification of the document.Rectangle404 is blue to indicate thatDocument_Name_—2 is a document that has a “SECRET” security classification. The line type of the outline of regions ofrectangle404 also indicates meta data of the document. In this case, a solid line as the outline ofregion410 indicates read/modify access toDocument_Name_—2 and a dashed line as the outline ofregion412 indicates read only access toDocument_Name_—2.

Resourcevisual representation406 is a cross shape to indicate that the resource being represented is an application. In this case, cross406 represents an application identified as Application_Name_—1, which is the label oncross406. The color ofcross406 indicates meta data of the application being represented, which in this example is the access role category associated with the application.Cross406 is orange to indicate that only entities whose role is Role X are permitted access to Application_Name_—1.

Resourcevisual representation408 is a parallelogram shape to indicate that the resource being represented is an information repository containing multiple documents. In this case,parallelogram408 represents an information repository identified as Information_Repository_Name_—1, which is the label onparallelogram408. The color ofparallelogram408 indicates meta data of the information repository being represented, which in this example is the security classification of the information repository.Parallelogram408 is green to indicate that Information_Repository_Name_—1 has an “OPEN ACCESS” security classification.

GUI also includes entity visual representations420-1,420-2,420-3,420-4,420-5,420-6,420-7,420-8,420-9,420-10 and420-11, which are oval shapes. Ovals420-1 through420-11 represent Person 1 through Person 11, respectively. Person 1 through Person 11 identifies 11 individual persons. Further, GUI includes entity visual representations430-1,430-2,430-3 and430-4, which are hexagon shapes. Hexagons430-1 through430-4 represent Group 1 through Group 4, respectively. Groups 1 through 4 identify four groups of people.

Ovals420-1,420-2 and420-3 are placed inrectangle402, which graphically indicates that

Persons

1,2 and3 are permitted to access Document_Name_—1.

Oval420-4 and hexagon430-3 are placed inregion410, which graphically indicates that Person 4 and persons inGroup 3 are permitted read/modify access toDocument_Name_—2.

Ovals420-5 and420-6 are placed inregion412, which graphically indicates that Person 5 and Person 6 are permitted read only access toDocument_Name_—2.

Ovals420-3 and420-7 and hexagon430-3 are placed incross406, which graphically indicates thatPerson 3, Person 7 and persons inGroup 3 are permitted to access Application_Name_—1.

Ovals420-7 and420-8 and hexagons430-2 and430-3 are placed inparallelogram408, which graphically indicates that Person 7, Person 8, persons inGroup 2, and persons inGroup 3 are permitted open access to the documents in Information_Repository_Name_—1.

Ovals420-9,420-10 and420-11, and hexagons430-1 and430-4 are not placed in any resource visual representation included inGUI400, which graphically indicates that Person 9, Person 10, Person 11, Group 1 and Group 4 have not been assigned access to the documents, information repository and application represented inGUI400.

In another embodiment, access control to end point resources by applications (a.k.a. apps) residing on a computing device (e.g., smartphone or tablet computer) is visually rendered to enable the operator of the computing device to graphically control access the computing device's resources. For example, the visual rendering of the access control on a tablet computer is depicted inGUI500 inFIG. 5.

GUI

500 includes application icons500-1,500-2,500-3,500-4,500-5,500-6,500-7,500-8,500-9,500-10,500-11,500-12,500-13 and500-14, which represent Applications 1 through 14, respectively.GUI500 also includes resource

visual representations

502 and504. Resource

visual representations

502 and504 represent the computing device's storage. Each of the resource visual representations included inGUI500 has a color associated with it, which is illustrated by a fill pattern that fills the interior of each resource visual representation. The fill pattern comprising horizontal lines in resourcevisual representation502 indicates that its color is blue. The fill pattern comprising horizontal lines in resourcevisual representation504 indicates that its color is red.

The user ofGUI500 utilizes visually-guided placement to place application icons in particular areas ofGUI500, thereby determining the access rights of the applications to the computing device's resources. In this example, applications whose icons are in a blue rectangle are permitted to read any part of the computing device's storage. Applications whose icons are in a red rectangle are permitted to read only the “public” storage of the computing device. Furthermore, applications whose icons are not in any rectangle are permitted to read and write to any part of the computing device's storage.

Therefore, application icons500-3,500-4,500-7 and500-8 are in theblue rectangle502, which graphically indicates thatApplications 3, 4 7 and 8 are permitted to read any part of the computing device's storage. Further, application icons500-11 and500-12 are in thered rectangle504, which graphically indicates that Applications 11 and 12 are permitted to read only the “public” storage of the computing device. Still further, application icons500-1,500-2,500-5,500-6,500-9,500-10,500-13 and500-14 are not inrectangle502 orrectangle504, which graphically indicates thatApplications 1, 2, 5, 6, 9, 10, 13 and 14 are permitted to read and write to any part of the computing device's storage.

Computer System

FIG. 6 is a block diagram of a computer system that is included in the system ofFIG. 1 and that implements the processes ofFIG. 2 andFIGS. 3A-3B, in accordance with embodiments of the present invention.Computer system102 generally comprises a central processing unit (CPU)602, amemory604, an input/output (I/O)interface606, and abus608. Further,computer system102 is coupled to I/O devices610 and a computerdata storage unit612.CPU602 performs computation and control functions ofcomputer system102, including carrying out instructions included inprogram code614 to perform a method of controlling access to resources, where the instructions are carried out byCPU602 viamemory604.CPU602 may comprise a single processing unit, or be distributed across one or more processing units in one or more locations (e.g., on a client and server).

Memory

604 may comprise any known computer-readable storage medium, which is described below. In one embodiment, cache memory elements ofmemory604 provide temporary storage of at least some program code (e.g., program code614) in order to reduce the number of times code must be retrieved from bulk storage while instructions of the program code are carried out. Moreover, similar toCPU602,memory604 may reside at a single physical location, comprising one or more types of data storage, or be distributed across a plurality of physical systems in various forms. Further,memory604 can include data distributed across, for example, a local area network (LAN) or a wide area network (WAN).

I/O interface606 comprises any system for exchanging information to or from an external source. I/O devices610 comprise any known type of external device, including a display device (e.g., monitor), keyboard, mouse, printer, speakers, handheld device, facsimile, etc.Bus608 provides a communication link between each of the components incomputer system102, and may comprise any type of transmission link, including electrical, optical, wireless, etc.

I/O interface606 also allowscomputer system102 to store information (e.g., data or program instructions such as program code614) on and retrieve the information from computerdata storage unit612 or another computer data storage unit (not shown). Computerdata storage unit612 may comprise any known computer-readable storage medium, which is described below. For example, computerdata storage unit612 may be a non-volatile data storage device, such as a magnetic disk drive (i.e., hard disk drive) or an optical disc drive (e.g., a CD-ROM drive which receives a CD-ROM disk).

Memory

604 and/orstorage unit612 may storecomputer program code614 that includes instructions that are carried out byCPU602 viamemory604 to control access to resources. AlthoughFIG. 6 depictsmemory604 as includingprogram code614, the present invention contemplates embodiments in whichmemory604 does not include all ofcode614 simultaneously, but instead at one time includes only a portion ofcode614.

Further,memory604 may include other systems not shown inFIG. 6, such as an operating system (e.g., Linux) that runs onCPU602 and provides control of various components within and/or connected tocomputer system102.

Storage unit

612 and/or one or more other computer data storage units (not shown) that are coupled tocomputer system102 may store resources108 (seeFIG. 1), access controls110 (seeFIG. 1), entities112 (seeFIG. 1) and/or attributes114 (seeFIG. 1).

As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method or computer program product. Accordingly, an aspect of an embodiment of the present invention may take the form of an entirely hardware aspect, an entirely software aspect (including firmware, resident software, micro-code, etc.) or an aspect combining software and hardware aspects that may all generally be referred to herein as a “module”.

Furthermore, an embodiment of the present invention may take the form of a computer program product embodied in one or more computer-readable medium(s) (e.g.,memory604 and/or computer data storage unit612) having computer-readable program code (e.g., program code614) embodied or stored thereon.

A computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A computer-readable signal medium may be any computer-readable medium that is not a computer-readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with a system, apparatus, or device for carrying out instructions.

Program code (e.g., program code614) embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Computer program code (e.g., program code614) for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java®, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. Instructions of the program code may be carried out entirely on a user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server, where the aforementioned user's computer, remote computer and server may be, for example,computer system102 or another computer system (not shown) having components analogous to the components ofcomputer system102 included inFIG. 6. In the latter scenario, the remote computer may be connected to the user's computer through any type of network (not shown), including a LAN or a WAN, or the connection may be made to an external computer (e.g., through the Internet using an Internet Service Provider).

Aspects of the present invention are described herein with reference to flowchart illustrations (e.g.,FIG. 2 andFIGS. 3A-3B) and/or block diagrams of methods, apparatus (systems) (e.g.,FIG. 1 andFIG. 6), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions (e.g., program code614). These computer program instructions may be provided to one or more hardware processors (e.g., CPU602) of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which are carried out via the processor(s) of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable medium (e.g.,memory604 or computer data storage unit612) that can direct a computer (e.g., computer system102), other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions (e.g., program614) stored in the computer-readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer (e.g., computer system102), other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other devices to produce a computer implemented process such that the instructions (e.g., program614) which are carried out on the computer, other programmable apparatus, or other devices provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

Any of the components of an embodiment of the present invention can be deployed, managed, serviced, etc. by a service provider that offers to deploy or integrate computing infrastructure with respect to controlling access to resources. Thus, an embodiment of the present invention discloses a process for supporting computer infrastructure, wherein the process comprises providing at least one support service for at least one of integrating, hosting, maintaining and deploying computer-readable code (e.g., program code614) in a computer system (e.g., computer system102) comprising one or more processors (e.g., CPU602), wherein the processor(s) carry out instructions contained in the code causing the computer system to control access to resources.

In another embodiment, the invention provides a method that performs the process steps of the invention on a subscription, advertising and/or fee basis. That is, a service provider, such as a Solution Integrator, can offer to create, maintain, support, etc. a process of controlling access to resources. In this case, the service provider can create, maintain, support, etc. a computer infrastructure that performs the process steps of the invention for one or more customers. In return, the service provider can receive payment from the customer(s) under a subscription and/or fee agreement, and/or the service provider can receive payment from the sale of advertising content to one or more third parties.

The flowcharts inFIG. 2 andFIGS. 3A-3B and the block diagrams inFIG. 1 andFIG. 6 illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code (e.g., program code614), which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be performed substantially concurrently, or the blocks may sometimes be performed in reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

While embodiments of the present invention have been described herein for purposes of illustration, many modifications and changes will become apparent to those skilled in the art. In another embodiment, the geometric shapes described above may be associated with labels (e.g., text labels), so that the labels distinguish between resources and/or between entities. It will be apparent to those skilled in the art howFIG. 1,FIG. 2 andFIGS. 3A-3B and the related descriptions are modified to accommodate labels associated with the geometric shapes, where the labels distinguish between resources and/or between entities. As one example, all different computer resources are represented by a common geometric appearance, where the only distinguishing attribute of the representation of each computer resource is a label. As another example, a first rectangle may be labeled with “DISK1” and a second rectangle, which is the same shape as the first rectangle, may be labeled with “MEMORY” so that identical shapes with different labels distinguish between two different resources (i.e., DISK1 and MEMORY). Accordingly, the appended claims are intended to encompass all such modifications and changes as fall within the true spirit and scope of this invention.